Heart-Stopper: Could Hackers Hit Pacemakers, Other Medical Implants?

It sounds like the far-fetched plot of a sci-fi thriller: Bad guys strike down a high-ranking politician or captain of industry by hacking into and remotely tinkering with his or her pacemaker, insulin pump, implantable cardioverter defibrillator (ICD) or other medical implant. Unfortunately, new research shows such a scenario is no longer just science fiction.

Scientists from Harvard Medical School's Beth Israel Deaconess Medical Center in Boston, the University of Massachusetts Amherst and the University of Washington in Seattle say they were able to launch cyber strikes against and glean private patient data from an ICD's communication protocol while testing the device's safety and security.

The researchers tested a Maximo DR VVEDDDR (manufactured by Minneapolis-based Medtronic, Inc.), because it is a typical ICD with pacemaking (steady, periodic electrical stimulation) and defibrillation (single, large shock) functions that communicates with an external monitoring device smaller than a laptop. The monitoring device has a handheld antenna that the patient holds over his or her chest, where the ICD is implanted, to read information wirelessly. The scientists acknowledge their findings are limited to this particular ICD (available in the U.S. since 2003), but warn that it highlights potential dangers that manufacturers must address.

Surgeons routinely implant ICDs and pacemakers in patients with irregular heartbeats, generally placing them just under the skin below a patient's clavicle (collarbone) and attaching its whisker-thin wires inside the heart muscle or on its surface. An irregular heartbeat triggers the implanted device to send electrical shocks to restore a normal rhythm. Most such devices register and record such events, information that health care workers can access wirelessly via monitoring devices.

Imagine the consequences, though, if someone were to maliciously reconfigure a pacemaker remotely so that it fails to shock a speeding heart or, conversely, jolts one that is beating normally. Yet that is just what researchers caution could happen in a paper they are scheduled to present at the 2008 IEEE Symposium on Security and Privacy in Oakland, Calif., in May. In the paper, published on their Medical Device Security Center Web site, they wrote they had no trouble accessing unencrypted sensitive information in the ICD—including patient records and vital signs—and then reprogramming the settings determining when the appliance should administer electric shocks.

"Balancing security and privacy with safety and efficacy will become increasingly important as [implanted medical device] technologies evolve," the researchers wrote. They stressed that patients with ICDs, pacemakers, neurostimulators, implantable drug pumps and similar implantable medical devices (IMD) are not in imminent danger, pointing out that "no IMD patient has ever been harmed by a malicious security attack" to their knowledge. But they noted that tighter security and privacy controls are needed to prevent against potential strikes in the future.

Among the researchers' hacking arsenal: an eavesdropping antenna to pick up and read patient information; a transmitting antenna to send disruptive instructions to the ICD; an oscilloscope to visualize and record signals sent to and from the device; and a universal software radio peripheral (USRP), a device that allowed them to create a software radio on their computer.

"Our results show that wireless transmissions disclose private data," they wrote, including a patient's name, birth date, medical history and ID number as well as the treating physician's name and contact information, and the ICD model and serial number. (All of this information was created specifically for the research project—no actual patient data was used.)

"All of the same security mistakes are made again and again," Evron says. "As long as people write [software], there will be bugs and vulnerabilities because secure design is never really followed."

Protecting implanted medical aids is tricky because manufacturers must avoid security measures that could cause the devices' batteries to run down or otherwise impede their lifesaving functions. The researchers propose that makers incorporate "zero-power" defenses into future designs, such as radio-frequency identification tags that create vibrations or audibly alert the patient of possible tampering without sapping battery power.

"The first thing to do is not scare people," Evron says, noting that such mischief is unlikely at this point. But he says it's important to keep on top of the issue, given the potential for trouble. "We should bring computer and security development into the realm of medical devices," he says, "so we aren't faced with security risks 10 or 15 years from now."